We claim: 

1 1 . A method for preventing denial of service attacks over a data 

2 network including a plurality of traffic flows each formed by a plurality of data 

3 packets, the method comprising: 

4 scanning the contents of the data packets; 

5 verifying that the data packets conform to a set of predetermined 

6 requirements; 

7 checking if the data packet is associated with a validated traffic flow; and 

8 placing the data packet in a higher priority quality of service if the data 

9 packet is associated with a validated traffic flow and to a low priority quality of 
10 service if it is not associated with a validated^traffic flow. 

1 2. The method of Claim 1 wherein verifying includes insuring that the 

2 data packets reorder and reassemble according to a defined policy and insuring that 

3 the data packets conform to required parameters. 

1 3. The method of Claim 1 further comprising between verifying and 

2 checking: 

3 dropping the data packet if it does not conform to the set of predetermined 

4 requirements. 

1 4. The method of Claim 3 wherein scanning includes scanning of the 

2 data packet's header information and scanning the data packet's payload contents. 

1 5. The method of Claim 1 wherein the predetermined requirements 

2 include packet length, non-overlapping offset fields, and adherence to protocol 

3 standards. 

1 6. The method of Claim 5 wherein the validated traffic flows are 

2 identified by a state associated with each traffic flow. 
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1 7. A method of preventing denial of service attacks on a data network 

2 which includes a plurality of traffic flows each formed by multiple data packets 

3 having header and payload information, the method using a network device 

4 comprising a traffic flow scanning engine and a quality of service processor having 

5 a low priority queue and higher priority queues, the method comprising: 

6 scanning the header information using the traffic flow scanning engine; 

7 reordering and reassembling the data packets using the traffic flow scanning 

8 engine; 

9 flagging data packets that do not reorder or reassemble correctly to be 

10 dropped; 

1 1 scanning the payload contents using the traffic flow scanning engine; 

12 determining whether the data packets conform to a set of predetermined 

13 requirements; 

14 flagging data packets that do not conform to be dropped; 

15 checking if the data packets are associated with a validated traffic flow; 

16 and 

17 assigning data packets to a higher priority quality of service if the data 

18 packet is associated with a validated traffic flow and to a low priority quality of 

19 service if the data packet is not associated with a validated traffic flow, 

1 8. The network device of Claim 7 wherein the set of predetermined 

2 requirements include packet length, non-overlapping offset fields, and adherence to 

3 protocol standards. 

1 9. The method of Claim 7 wherein flagged data packets are dropped by 

2 the traffic flow scanning engine. 

1 10. The method of Claim 7 wherein flagged data packets are dropped by 

2 the quality of service processor. 

1 11. The method of Claim 7 wherein the validated traffic flows are 

2 identified by a state associated with each traffic flow. 
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1 12. A network device for preventing denial of service attacks on a data 

2 network which includes a plurality of traffic flows each formed by multiple data 

3 packets having contents including header information and payload information, the 

4 network device comprising: 

5 atraffic flow scanning engine operable to scan the header and payload 



6 information of the data packets, to associate each data packet with a particular 

7 traffic flow and to determine whether each traffic flow is a validated traffic flow or 

8 a non-validated traffic flow, wherein the traffic flow scanning engine is further 

9 operable to reorder and reassemble the data packets and to verify that the data 

10 packet conforms to predetermined requirements such that the traffic flow scanning 

1 1 engine produces a conclusion associated with each data packet; and 

12 a quality of service processor connected to the traffic flow scanning engine 

13 and operable to place the data packets into a quality of service queue from a 

14 plurality of quality of service queues based on the conclusion from the traffic flow 

15 scanning engine, wherein data packets from non-validated traffic flows are assigned 

16 to a low priority queue and data packets from validated traffic flow are assigned to a 

17 higher priority queue based on its contents. 



1 13. The network device of Claim 12 wherein the low priority queue is 

2 assigned a maYimiim percentage of network bandwidth. 

1 14. The network device of Claim 12 wherein data packets that do not 

2 reorder or reassemble correctly and data packets that do not conform to the 

3 predetermined requirements are dropped by the network device. 

1 15. The network apparatus of Claim 12 wherein the traffic flows are 

2 identified by a state associated with each traffic flow, the state representing whether 

3 the traffic flow is validated or non-validated. 

1 16. The network apparatus of Claim 12 wherein the set of predetermined 

2 requirements include packet length, non-overlapping offset fields, and adherence to 

3 protocol standards. 
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